28 January 2020
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID.
An Acceptable Use Policy is an important document that can demonstrate due diligence with regards to the security of your IT network and the protection of sensitive data in the event of a breach or regulatory audit. This importantly protects the organisation from legal actions.
Sometimes referred to as an Internet Usage and E-mail Policy or Acceptable IT Use policy, an AUP policy provide statements as to what behaviour is acceptable from users that work in or are connected to a network.
Many surveys across the IT / IT Security sector such as SANS Institute and from vendors on the threat landscape help provide additional perspective on why an Acceptable Use Policy is critical for your organization. Many of these studies reveal an increase in the loss of business data records over the past 3 years. The most common entry point for threats into a network? End user actions.
The arguments between productivity, protection and privacy can make mobile device security a difficult topic to address. Users are now more comfortable blurring the lines between personal and work when it comes to personal mobile devices, not always thinking about the implications. Most employees do not want to be the cause of a network breach or data loss, yet one in five will do so either through malware or malicious WiFi. All it takes is one infection on one device to impact both corporate and personal data and networks.
We find many in the life-science / biotech sector either have basic UAP or not one at all. Depending on the type of data that passes or is stored on your network, and who/what has access to your network – being lax on this, is a recipe for disaster. An Acceptable Use Policy not enforced with appropriate systems relying on the end user alone to “do the right thing”, affords little protection.
Creating an effective AUP begins by collaborating with relevant stakeholders from human resources, finance, legal, IT, and security. The questions below can provide a good starting point when creating your policy:
As you create your AUP be sure to:
A signed copy of the policy should be included in each employee file, backed up with your vital records and included in your business continuity plan.
If you need more info or would like your existing Acceptable Use Policies reviewed, please contact Exigence on 03-9568-5437 or firstname.lastname@example.org
Sources: SANS Institute, ASD, Exigence, Pivotal, Australian Cyber Security Centre, Techtarget